This section allows the user to create web content rules. These rules will be marked as policy violation rules. For each tag specified in the Content section there will be two rules created, one for DNS and one for TLS.
To add a new web rule, click the Add Web Rule button on the Basic tab. The Name is only for reference, while the Content is what the rule will match. For example, entering facebook into the Content section would apply to all web traffic that has the word facebook in the URL or TLS exchange. A single rule can contain multiple strings separated by a comma.
The Action controls what will happen when traffic matches the Content. An Alert action will only log the traffic but will not stop it. A Drop action will silently discard the traffic. A Reject action has different outcomes depending on the Mode:
- In IDS mode, traffic matching a REJECT rule will cause a TCP/ICMP error to be sent to the source and destination. Records of the traffic can be located in the IDS/IPS log on the Ecessa device.
- In IPS mode, traffic matching a DROP/REJECT rule will be discarded. Connections with traffic matching a DROP/REJECT rule will time out or report an error. Records of the dropped traffic can be located in the IDS/IPS log on the Ecessa device.
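To make the fan-out and the mode-dependent outcomes concrete, here is an added Python model of the behaviour described above; it is not the Ecessa device's own code. It assumes case-insensitive substring matching on DNS query names and TLS server names, whitespace trimming around the commas in Content, and that a Drop rule in IDS mode only logs (the page does not state that case).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GeneratedRule:
    name: str      # Name field: reference only
    protocol: str  # "dns" or "tls": one rule of each per tag
    tag: str       # one comma-separated string from Content
    action: str    # ALERT, DROP or REJECT


def expand_web_rule(name, content, action):
    """Fan one web rule out into its DNS and TLS rules, one pair per tag."""
    action = action.upper()
    if action not in ("ALERT", "DROP", "REJECT"):
        raise ValueError(f"unknown action {action!r}")
    # assumption: tags are trimmed and matched case-insensitively
    tags = [t.strip().lower() for t in content.split(",") if t.strip()]
    return [GeneratedRule(name, proto, tag, action)
            for tag in tags for proto in ("dns", "tls")]


def matching_rules(rules, protocol, observed):
    """Rules whose tag occurs anywhere in the DNS query name or TLS server name.
    Substring semantics mean a tag like "facebook" also hits facebookmail.com."""
    observed = observed.lower()
    return [r for r in rules if r.protocol == protocol and r.tag in observed]


def outcome(rule, mode):
    """Effect on traffic in IDS or IPS mode, following the page's description."""
    if rule.action == "ALERT":
        return "log"                         # logged, never stopped
    if mode == "IPS":
        return "log+discard"                 # DROP and REJECT both discard
    if rule.action == "REJECT":
        return "log+tcp/icmp error"          # IDS mode: error sent to both ends
    return "log"   # assumption: a DROP rule in IDS mode only logs


SAMPLE_TRAFFIC = [  # constructed observations, not real captures
    ("dns", "www.facebook.com"),
    ("tls", "static.xx.fbcdn.net"),
    ("dns", "facebookmail.com"),   # broad tag: substring match hits this too
    ("tls", "example.org"),
]


def evaluate(rules, traffic, mode):
    """(protocol, observed, tag, outcome) for every observation that hits a rule."""
    return [(proto, seen, r.tag, outcome(r, mode))
            for proto, seen in traffic
            for r in matching_rules(rules, proto, seen)]
```

Run `evaluate(expand_web_rule("social", "facebook, fbcdn", "reject"), SAMPLE_TRAFFIC, "IDS")` to see that the one rule becomes four generated rules and that the broad tag also catches facebookmail.com.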